Working with Trusted Trust Publishers

Certificates of trust issued through Microsoft® Authenticode® technology provide a secure method of establishing the trustworthiness of programs written by third-party vendors. The trusted Trust Publishers feature (previously known as Trusted Sources) provides a means of cataloging who wrote a program, tracing it back to that source, and establishing that rigorous methods were employed to identify the program as safe for use. Trusted Trust Publishers let users choose whether to allow executables from identifiable vendors to run.

Administrators can turn off the trusted Trust Publishers feature by setting security to Low (not recommended), or can enable a default list of trusted Trust Publishers. When trusted Trust Publishers evaluation is enabled, any executable (add-in, applet, macro, EXE program, and so forth) runs automatically on the user's computer, provided the certificate of trust was accepted and stored in the trusted Trust Publishers segment of the user's registry.

How trusted Trust Publishers works

The trusted Trust Publishers feature requires the use of a special embedded digital signature that is applied to an executable. This digital signature includes a certificate, which identifies the source of the executable.

A digital signature is like a seal of approval. A signature provides some degree of assurance to the user that the code is safe to execute, because of the cost and the rigorous process required to obtain the signature and apply it to an executable. The signature also provides assurance in two other ways: it ensures the code is from the source listed in the certificate that was used to sign the code, and it ensures the code has not been tampered with since the owner of the certificate signed it.

A digital signature requires the owners of the signature to identify themselves to a certificate authority, which then issues a certificate of trust. In this way, a digital signature can be used to prove that the data or code really is from the user or source that the digital signature claims it is from, and it provides a means of tracing the data or code back to the people who developed it.

Accepting certificates of trust in Office applications

If a document contains a digitally signed executable and a user attempts to open the document with his or her security set to High or Medium, the user is prompted to trust the source of the certificate if a reference to the certificate is not already present in the trusted Trust Publishers store. If the source is trusted, any subsequent document with an executable signed with the same certificate of trust automatically allows the executable to run under High, Medium, and Low security. If the macro security level is set to Very High, however, then only executables in a trusted location on the user’s hard disk will run.

It is possible to trust all currently installed add-ins and templates on a computer when Microsoft Office is being installed. This allows all files currently installed to the computer, those being installed along with Office, and those already present in the Office templates folder to be trusted even though the files may not be signed.

To specify trusted Trust Publishers in the following Office applications — Word, Access, Excel, Outlook, PowerPoint, or Visio

  1. On the Tools menu, point to Macro, and then click Security.
  2. To view or remove trusted Trust Publishers, click the Trusted Publishers tab.
  3. To trust all add-ins and templates currently installed on the computer, select the Trust all installed add-ins and templates check box.

Adding trusted Trust Publishers

Users can add trusted Trust Publishers to the local trusted Trust Publishers store by accepting the request to trust a signed executable (an applet, program, and so forth) the first time it attempts to run. Macro security for the Office application must be set to Medium or High to force this request.

It is possible for administrators to add Microsoft or other digital certificates to the list of trusted Trust Publishers without accepting a request to trust the source. In the Custom Installation Wizard or the Custom Maintenance Wizard, administrators can add the digital certificate to the Add the following digital certificates to the list of Trusted Publishers list box in the Specify Office Security Settings page.

For administrators who want to maintain a specific list of certificates for all users, it is possible to block users from adding to the list of trusted Trust Publishers by enforcing a policy. To block users from making any changes to the trusted Trust Publishers store, use the Office11.adm policy template to enable the Microsoft Office 2003 | Security Settings policy for each application (for example, Word: Trust all installed add-ins and templates). Unlike security options set through the Custom Installation Wizard or Custom Maintenance Wizard, a policy forces the administrative settings onto a user's computer whenever the user logs on, depending on the method used to distribute the policy file. Thus, any changes the user may have made to an application during a previous session are overwritten if the areas that were changed are controlled by policy.

For installations of Microsoft Office 2003 on Microsoft Windows® 2000, if a list of trusted Trust Publishers is added to the HKCU node of the registry, users can add trusted Trust Publishers through the user interface of an application. However, if the list of trusted Trust Publishers is stored in the HKLM node of the registry, then users cannot add to their list of trusted Trust Publishers (local machine supersedes current user).

For installations of Office 2003 on Windows XP or later, accepted certificates of trust are stored in the Windows Trusted Publisher store, and a different dialog is displayed for sources on these operating systems.


Note: The policy distribution method used (REG file, Active Directory® versus NT logon) plays a significant role in the effectiveness and timeliness of policy implementation.

Distributing non-Microsoft trusted Trust Publishers

You can distribute non-Microsoft trusted Trust Publishers to users with a new process that requires the creation and use of a CER file. Office includes three CER files which have the information for the three Microsoft certificates needed for Office applications.


Toolbox: The Microsoft CER files are included in the Office Information documents folder that is installed with the Microsoft Office 2003 Editions Resource Kit (ork.exe). After installation, they can be found in the %ProgramFiles%\OrkTools\Ork11\Lists and Samples\Office Information folder. You can find this downloadable file on the Office 2003 Resource Kit Downloads page.

Office applications are installed with these certificates, but the certificates are not trusted by default. Administrators must choose to add these as part of the deployment of Office in the Custom Installation Wizard (Specify Office Security Settings page) if they want users to trust Microsoft certificates of trust.

For applications other than those included with Microsoft Office, the CER file can be obtained through two possible methods:

  • By exporting the certificate content from a signed DLL to a CER file.

If you do not have a test installation of Office where you have already trusted this certificate, this is the only method to obtain the certificate information. The procedure for doing this is below.

  • By exporting a trusted certificate from a Trusted Publisher store to a CER file.

If you have a test installation of Office and you have accepted a certificate from an external vendor, you can obtain the certificate information for the creation of a CER file from the Security dialog of any Office application. The procedure for doing this is below.

To export a certificate from a DLL to a CER file

  1. Open Windows Explorer.
  2. Find the signed DLL file that has the certificate you want to distribute.
  3. Right-click on the DLL.
  4. Click Properties.
  5. Click the Digital Signatures tab and select the certificate from the Signatures list, and then click Details.
  6. In the Digital Signatures Detail dialog, click View certificate.
  7. In the Certificate dialog, click the Details tab.
  8. Click Copy to File.
  9. In the resulting Certificate Export Wizard, click Next to go to the Export File Format page.
  10. Select the DER encoded binary X.509 (.CER) option and click Next.
  11. In the File to Export page, provide a path and file name to the folder where you want to save the CER file, and click Next.
  12. Click Finish on the last page to perform the export.
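The same export, scripted, as an added example that is not part of the Resource Kit or of Office: it verifies the DLL's Authenticode signature, writes the signer certificate in the same DER-encoded X.509 (.CER) format the wizard produces, and reports whether that signer is already in the Windows Trusted Publisher stores. The parameter names $DllPath and $CerPath are assumptions.

```powershell
# Added example (not Office Resource Kit code). Assumes $DllPath is a signed
# DLL and $CerPath is the .CER file to write.
param(
    [Parameter(Mandatory = $true)][string]$DllPath,
    [Parameter(Mandatory = $true)][string]$CerPath
)

$sig = Get-AuthenticodeSignature -FilePath $DllPath

# Export only from a file whose signature verifies. A HashMismatch status
# means the file was altered after signing, so its certificate is not
# evidence of anything and should not be distributed from this file.
if ($sig.Status -ne 'Valid') {
    throw "Signature on '$DllPath' is $($sig.Status); not exporting."
}

$cert = $sig.SignerCertificate
Write-Host "Signer     : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

# X509ContentType.Cert is the DER-encoded binary X.509 format, the same
# option the Certificate Export Wizard calls "DER encoded binary X.509 (.CER)".
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)
Write-Host "Wrote $($der.Length) bytes to $CerPath"

# On Windows XP and later, Office uses the Windows Trusted Publisher store.
# Check both the per-user and the machine-wide store, since the machine-wide
# list takes precedence over the user's own additions.
foreach ($store in 'CurrentUser', 'LocalMachine') {
    $match = Get-ChildItem "Cert:\$store\TrustedPublisher" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($match) {
        Write-Host "Signer is already trusted in $store\TrustedPublisher."
    } else {
        Write-Host "Signer is not yet trusted in $store\TrustedPublisher."
    }
}
```

Compare the printed thumbprint with the one shown on the Details tab of the Certificate dialog before distributing the CER file, so that the exported certificate is the signer's leaf certificate and not one of the issuing CA certificates.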

To export a certificate from a Trusted Publisher store to a CER file

  1. Open Microsoft Word, Excel, PowerPoint®, Outlook®, or Access, and click on the Tools menu.
  2. Click Macro and then click Security.
  3. Click the Trusted Publishers tab and select the certificate you want to distribute.
  4. Click View.
  5. In the Certificate dialog, click the Details tab.
  6. Click the Copy to File button.
  7. In the resulting Certificate Export Wizard, click Next to go to the Export File Format page.
  8. Select the DER encoded binary X.509 (.CER) option and click Next.
  9. In the File to Export page, provide a path and file name to the folder where you want to save the CER file, and click Next.
  10. Click Finish on the last page to perform the export.

Distributing CER files

To distribute the CER files you have created, you can use:

  • Active Directory (can be used anytime)
  • The Custom Installation Wizard (only at initial deployment)
  • The Custom Maintenance Wizard (only after deployment)

To include a CER file for propagation to users who are part of Active Directory directory services, use the appropriate method for the type of Office installation you have configured for your installation of Active Directory. For information about Active Directory, search for Active Directory on the Windows 2000 Advanced Server Web site.

To include a CER file in either a transform or CMW file

  1. Start the Custom Installation Wizard or Custom Maintenance Wizard.
  2. Load the appropriate MSI file and provide a transform or configuration maintenance file name.
  3. In the Specify Office Security Settings page, click Add.
  4. Browse for the CER file you created in the previous section and either double-click on it or select it, and then click Add.

This process imports the contents of the CER file into the transform or maintenance file, which will be included with a new or updated installation of Office. The appropriate information is then saved to the registry during either of those installations. Once the CER file is in place, the user can then run executables that were signed with this certificate of trust without being blocked or prompted to accept the certificate.

Applies to:
Deployment Center 2003